Connected, deliberately

Integrations that deepen the workflow without hiding the boundary.

Threat Foundry keeps connection mode, source scope, review state, and data ownership explicit. Start with offline imports or bounded sync, then add operational systems when ready.

Threat intelligence

Bring intelligence in without surrendering control.

MI

MISP

Bounded, read-only event synchronization through a configured integration. Review normalized entities before downstream use.

Read-only sync
OC

OpenCTI

Bounded, read-only GraphQL intake from a configured server and token. Entity and relationship content stays tenant-owned.

Read-only sync
SX

STIX 2.x

Upload a bounded STIX bundle for review when a live platform connection is not appropriate for the environment.

File intake

Architecture inventory

Seed Threat Blueprints from offline cloud exports.

Export inventory from the customer cloud, inspect the file, and import it without granting Threat Foundry standing cloud credentials.

AW

Amazon Web Services

Import a supported bounded inventory export to propose components, relationships, and security zones for analyst review.

Offline export
AZ

Microsoft Azure

Translate supported Azure inventory exports into Blueprint proposals without a live control-plane connection.

Offline export
GC

Google Cloud

Use supported Cloud Asset inventory exports to seed a reviewable architecture model.

Offline export

Operations ecosystem

Connect execution and handoff systems at your pace.

SI

SIEM search

Run approved queries against configured search platforms. Query policy and overrides remain visible.

ED

Endpoint and host context

Use configured endpoint or host tooling for bounded investigation pivots and checks.

TK

Ticketing

Export reviewed case work to configured ticket providers while retaining the internal evidence record.

AI

AI providers

Use configured models for assisted drafting and analysis with billing controls, warnings, and enforced stop thresholds.

AP

API Connect

Manage supported API credentials through tenant-aware configuration rather than hardcoded application values.

FL

Field normalization

Map customer field aliases into a consistent entity model for investigation and reporting.

Deployment note

Availability depends on licensed third-party products, configured credentials, supported export formats, and customer policy. Threat Foundry does not imply a vendor partnership unless explicitly stated.

Start with the workflow

Map Threat Foundry to your current stack.

We will identify what can work on day one, what requires a connection, and where offline import is the safer first step.

Request a working session